From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fix for new SELINUXMNT in /sys SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should add rules to access sysfs. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang Signed-off-by: Joe MacDonald --- policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` type security_t; ') + # SELINUXMNT is now /sys/fs/selinux, so we should add rules to + # access sysfs + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs @@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun type security_t; ') + dev_dontaudit_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs @@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem mount; ') @@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem remount; ') @@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem unmount; ') @@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem getattr; ') @@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs' type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:filesystem getattr; ') @@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir getattr; ') @@ -220,6 +235,7 @@ interface(`selinux_search_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir search_dir_perms; ') @@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs', type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir search_dir_perms; ') @@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') @@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',` type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; @@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -345,6 +365,7 @@ interface(`selinux_load_policy',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -375,6 +396,7 @@ interface(`selinux_read_policy',` type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; @@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans' type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; @@ -528,6 +550,7 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -552,6 +575,7 @@ interface(`selinux_validate_context',` type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir list_dir_perms; dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; @@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -639,6 +666,7 @@ interface(`selinux_compute_member',` type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts type security_t; ') + dev_getattr_sysfs_dirs($1) dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms;